(54) Risk assessment method

(57) A risk assessment method for executing a risk assessment based on a security policy and the configuration of a current information system. An external API interface converts the security policy, a current system, and information asset data into a data format intended for risk assessment. A risk assessment program executes a risk assessment based on the security policy and the current system. Controls are also selected as appropriate. Depending on the result of the selection, modifications are also made to the security policy etc. The modified data is controls data. This data is used to perform a security simulation. The simulation result reflects the controls adopted by the risk assessment. Consequently, the simulation result obtained takes account of the result of the risk assessment.
Description

BACKGROUND OF THE INVENTION 

1. Field of the Invention 

[0001] The present invention relates to the construction of a security policy as to an information system, and the risk assessment of the information system.

2. Description of the Related Art 

[0002] With the progression of information and communications technology, information security of information systems belonging to certain organizations is assuming importance. In recent years, attention is being given to the significance of security policies in particular.

[0003] In the government of Japan, for example, the Cabinet Office for National Security Affairs and Crisis Management issued "Guidelines for Information Technology Security Policy" in July, 2000, and the central government ministries prepared information security policies.

[0004] Various kinds of guidelines for preparing security policies have been proposed internationally. Among the global guidelines receiving attention in recent years is a British standard called BS7799. Part 1 of this standard has also been included in ISO.

[0005] BS7799 was established in 1995 by British Standards Institution (BSI). This BS7799 defines fundamental control items (also referred to as controls), a summary of best practice in information security.

[0006] BS7799 consists of two parts, or Part 1: execution guideline for information security management and Part 2: specifications for an information security system. Part 1 shows the best practice, providing the guideline for advising management. Part 2 provides the standard that defines how a management framework is evaluated and certified for conformance; Part 1 (BS7799-1) has been included in ISO as ISO 17799.

[0007] Part 2 of this BS7799 chiefly provides requirements for an ISMS (Information Security Management System) framework, and detailed controls that present specifics of the controls on information security.

[0008] The requirements for an ISMS framework pertain to the system's security policy, control objectives, controls, document control, record management, and so on. This BS7799 also requires that the appropriate scope of the information security management system be determined and a proper risk assessment be performed in establishing a framework.

[0009] Fig. 2 shows an overview of the establishment of a framework. As shown in this diagram, at step 1, a security policy is defined. At step 2, the scope of the information security management system is determined.

[0010] Incidentally, this diagram is a quotation of Fig. 1 in Part 2 of BS7799.



[0011] At step 3, a risk assessment is undertaken. At step 4, individual risks are managed.

[0012] At step 5, control objectives and controls to be implemented on the information security management system are selected.

[0013] At step 6, a statement of applicability for applying the control objectives and controls selected above is prepared.

[0014] As above, in establishing a management framework, it is essential to define a security policy and perform a risk assessment (step 3).
[0015] Conventionally, the security policy has been constructed by acquiring actual conditions of an information system and conditions of an ideal information system humanly by various means. The security policy and the conditions of the information system have been used to perform a risk assessment humanly by hand.

[0016] To perform a risk assessment typically requires that "threats," "vulnerability," "impact," and "asset values" to/of the information assets (property) be identified to determine the degree of risk.

[0017] For example, in "Guidelines for Information Technology Security Policy" mentioned above, the risk assessment is defined as one of the procedures for risk analysis. The risk assessment as employed in the document is performed as follows:

(1) Initially, investigate the threats surrounding the information assets. The threats are classified into physical threats, technical threats, human threats, etc. The physical threats include intrusion, destruction, and failure. The technical threats include unauthorized access and tapping. The human threats include operation mistakes, abusing extraction, and misconduct.

(2) Perform a risk assessment on each threat. The assessment is made from the frequency of occurrence of that threat and the scale of damage in cases when the threat occurs. By intuition, the product of the frequency of occurrence and the scale of damage typically is the magnitude of the risk.

[0018] In this way, conventional risk assessments have been conducted humanly by hand.

[0019] Incidentally, the present inventor has proposed, in Japanese Patent Application Nos. 2000-164819 and 2001-132177, apparatuses and methods for creating a security policy by making inquiries to organization members, and grasping the current conditions from the responses.

[0020] As employed in the present application, "organizations" refer to not only business enterprises but also other organizations including government and municipal institutions and various incorporations such as foundations.

[0021] As above, risk assessments have conventionally been executed humanly by hand based on constructed security policies and the conditions of the information systems.

[0022] It is desirable, however, that risk assessment could be executed automatically based on the configuration of the information systems when the configuration is clear from the information such as the conditions of the information systems. The reason is that the automatic execution could lighten user effort.

[0023] In addition, it is convenient that the controls on the information systems could be modified based on the results of the risk assessments before simulations are performed based on the resulting configuration. The reason is that the modifications to the controls could be speedily checked for effects.

SUMMARY OF THE INVENTION 

[0024] The present invention has been achieved in view of the foregoing. It is thus an object of the present invention to execute a risk assessment based on a security policy and the configuration of the current information system.

[0025] To achieve the foregoing object, the present invention provides a risk assessment method comprising: a first conversion step of converting a security policy and information-system-related information into a first data format based on a predetermined application programming interface, the first data format being a data format intended for risk assessment; and a risk assessment step of executing a risk assessment based on the security policy and information-system-related information converted.

[0026] The conversion into the data format intended for risk assessment facilitates executing a risk assessment. In particular, when the risk assessment is executed by a program, the data can be supplied to the program as is.

[0027] The present invention also provides the risk assessment method, further comprising: a modification step of modifying either one or both of the security policy and the information-system-related information based on the result of assessment at the risk assessment step; a second conversion step of converting either one or both of the security policy and the information-system-related information modified at the modification step into a second data format based on the application programming interface, the second data format being a data format intended for security policy construction; and a simulation step of performing a simulation as to security based on the security policy and information-system-related information in the second data format.

[0028] The conversion into the data format intended for security policy construction facilitates performing a simulation in constructing a security policy. In particular, when the simulation is performed by a program, the data can be supplied to the program as is.

[0029] The present invention also provides the foregoing risk assessment method, wherein the simulation at the simulation step checks if security is provided.



[0030] Because of such configuration, it is possible to find out the effect of the configuration modified by the risk assessment on security.

[0031] The present invention also provides a security policy construction method including the second risk assessment method mentioned above, further comprising a security policy construction step of constructing the security policy reflecting a result of the simulation.

[0032] Because of such configuration, it is possible to reflect the result of the risk assessment on the construction of the security policy.

[0033] The present invention also provides a program for making a computer execute a first conversion step of converting either one or both of a security policy and information-system-related information into a data format intended for risk assessment based on a predetermined application programming interface.

[0034] The present invention also provides a computer program product comprising a computer usable medium having computer readable code thereon, including program code for making a computer execute a first conversion step of converting either one or both of a security policy and information-system-related information into a data format intended for risk assessment based on a predetermined application programming interface.

[0035] Because of such configuration, it is possible to convert the security policy etc. into the data format intended for risk assessment.

[0036] The present invention also provides a program for making a computer execute a second conversion step of converting either one or both of a security policy and information-system-related information into a data format intended for security policy construction based on a predetermined application programming interface.

[0037] The present invention also provides a computer program product comprising a computer usable medium having computer readable code thereon, including program code for making a computer execute a second conversion step of converting either one or both of a security policy and information-system-related information into a data format intended for security policy construction based on a predetermined application programming interface.

[0038] Such configuration facilitates converting the security policy etc. into the data format intended for security policy construction and performing a simulation in constructing the security policy.

BRIEF DESCRIPTION OF THE DRAWINGS 


[0039]

Fig. 1 is a conceptual diagram showing a risk assessment operation of an embodiment; and
Fig. 2 is an explanatory diagram showing an overview of the establishment of a BS7799 framework, a quotation of Fig. 1 in BS7799 Part 2.
DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENT

[0040] Hereinafter, an embodiment of the present invention will be described with reference to the drawings.

[0041] Fig. 1 shows a conceptual diagram for explaining a risk assessment operation according to the present embodiment.

[0042] Initially, a security policy construction program 8 constructs a security policy 10. Such a security policy construction program 8 preferably uses a program that the present inventor has described in Japanese Patent Application No. 2001-132177.

[0043] This security policy construction program 8 outputs not only the security policy 10 but also a current system 12 and an information asset 13 that are used for the security policy construction.

[0044] The information asset 13 is information indicating the configuration of the information system. This information includes system information, network information, and information that covers human resources, facilities, and equipment. The system information chiefly concerns the host and clients of the information system, and the network information the configuration of the network.

[0045] The current system 12 is information on the organization's outline, structure, etc. This information includes information concerning the organizational architecture on the execution and maintenance of the security policy.

[0046] The current system 12 and the information asset 13 correspond to an example of the information-system-related information as stated in the claims. The security policy 8, the current system 12, and the information asset 13 are in a data format defined by the security policy construction program (a data format intended for security policy construction).

[0047] While the present embodiment deals with the case where the security policy 10 is constructed by the security policy construction program 8, the security policy may be constructed manually.

[0048] An external API interface 14 is a program for converting the security policy 10, the current system 12, and the information asset 13 into a data format intended for risk assessment according to the specifications of a predetermined API (Application Programming Interface).

[0049] Here, the predetermined API is a protocol including the data format intended for risk assessment, the data format intended for security policy construction, and conversion rules between these formats.

[0050] That is, in the present embodiment, "converting into a data format intended for risk assessment according to the specifications of a predetermined API" refers to converting from the data format intended for security policy construction, defined by the foregoing API, to the data format intended for risk assessment. Fig. 1 shows the converted data as data 16 for risk assessment.

[0051] In the present embodiment, a risk assessment program 20, a program for executing a risk assessment, is used to execute a risk assessment automatically. The present embodiment is characterized in that the data format understandable to this risk assessment program 20 is defined in the form of the API. When such an API is defined, the security policy 10, the current system 12, and the information asset 13 can be converted according to this API so that the converted security policy 10 etc. are supplied to the risk assessment program 20.

[0052] The risk assessment program 20 executes a risk assessment based on the security policy 10, the current system 12, and the information asset 13. The present embodiment deals with the case where this risk assessment program 20 is a program for executing a risk assessment under BS7799 mentioned above.

[0053] The risk assessment program 20 executes the foregoing risk assessment. Then, it outputs the result of the assessment, or a risk assessment report 22.

[0054] In the risk assessment, controls are also selected as appropriate based on the result of the risk assessment. This is parallel to the description of Fig. 2. Depending on the result of the selection, modifications are also made to the current system 12 and the security policy 10. Fig. 1 shows the modified data as controls data 24.

[0055] In the present embodiment, the external API interface 14 converts the controls data 24 into the data format intended for security policy construction. Fig. 1 shows the converted data as controls data 26.

[0056] The present embodiment is characterized in that the controls established in the process of risk assessment can be reflected on the construction side of the security policy.

[0057] As shown in Fig. 1, a security simulation program 30 performs a security simulation by using the controls data 26. This security simulation program 30 is a program for performing a simulation as to security strength on the basis of the security policy and the controls to check if efficient, effective security is provided.

[0058] In the present embodiment, the security simulation program 30 performs a simulation based on the data (controls data 26) that reflects the result of the risk assessment. A simulation result 32 is the result of the simulation that reflects the controls adopted by the risk assessment. This simulation result 32 can be used for security policy construction so that a security policy reflecting BS7799 standards is constructed with facility.

[0059] As shown in Fig. 1, in the present embodiment, the security policy construction program 8 may be manually instructed of the strength of the security policy based on the simulation result 32. This allows the construction of a security policy conforming to BS7799 standards.

[0060] As has been described, in the present embodiment, the data format intended for security policy construction, the data format intended for risk assessment, and the conversion rules between these data formats are defined in the form of the API. The result of the risk assessment can thus be reflected on the construction of the security policy. As a result, it is possible to reflect the result of the BS7799 risk assessment on the security policy so that a BS7799-based security policy is constructed with facility.
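As an added illustration of the loop of Fig. 1 (first conversion, assessment, control selection, second conversion, simulation) and of the frequency-times-damage assessment of [0017], the following Python is example code written for this page, not code from the patent or from any implementation of it. The two data formats, the conversion rules, the risk threshold and the assumption that a selected control lowers a threat's frequency are all constructed for the illustration.

```python
from copy import deepcopy

# Constructed sample in the "data format intended for security policy
# construction" ([0046]); keys and values are assumptions for this illustration.
POLICY_FORMAT_SAMPLE = {
    "policy": {"password_min_length": 6, "backup_interval_days": 30},
    "assets": [
        {"name": "hr-db", "value": 5, "threats": [
            {"kind": "technical", "name": "unauthorized access", "frequency": 3, "damage": 4},
            {"kind": "physical", "name": "failure", "frequency": 2, "damage": 3}]},
        {"name": "web-front", "value": 2, "threats": [
            {"kind": "human", "name": "operation mistake", "frequency": 4, "damage": 1}]},
    ],
}
# Assumed conversion rules of the API ([0049]): threat -> (policy key the
# control sets, its new value, how much the control cuts the frequency).
CONTROL_RULES = {
    "unauthorized access": ("password_min_length", 12, 3),
    "failure": ("backup_interval_days", 1, 2),
    "operation mistake": ("operator_training", True, 2),
}
RISK_THRESHOLD = 8  # assumption: a risk at or above this selects a control

def to_risk_format(policy_data):
    # First conversion step: one flat record per (asset, threat) pair.
    rows = [{"asset": a["name"], "asset_value": a["value"], "threat": t["name"],
             "kind": t["kind"], "frequency": t["frequency"], "damage": t["damage"]}
            for a in policy_data["assets"] for t in a["threats"]]
    return {"policy": dict(policy_data["policy"]), "risks": rows, "controls": []}

def assess(risk_data):
    # Risk assessment step: magnitude = frequency x scale of damage ([0017]).
    for r in risk_data["risks"]:
        r["risk"] = r["frequency"] * r["damage"]
    return risk_data

def select_controls(risk_data):
    # Modification step ([0054]): each risk at or above the threshold selects
    # a control that modifies the policy; the result is the controls data.
    for r in risk_data["risks"]:
        if r["risk"] >= RISK_THRESHOLD and r["threat"] in CONTROL_RULES:
            key, value, _cut = CONTROL_RULES[r["threat"]]
            risk_data["policy"][key] = value
            risk_data["controls"].append((r["asset"], r["threat"], key))
    return risk_data

def to_policy_format(risk_data):
    # Second conversion step ([0055]): rebuild the policy-construction format,
    # with the residual frequency wherever a control was selected.
    controlled = {(a, t) for a, t, _ in risk_data["controls"]}
    assets = {}
    for r in risk_data["risks"]:
        asset = assets.setdefault(
            r["asset"], {"name": r["asset"], "value": r["asset_value"], "threats": []})
        cut = CONTROL_RULES[r["threat"]][2] if (r["asset"], r["threat"]) in controlled else 0
        asset["threats"].append({"kind": r["kind"], "name": r["threat"],
                                 "frequency": max(r["frequency"] - cut, 0),
                                 "damage": r["damage"]})
    return {"policy": dict(risk_data["policy"]), "assets": list(assets.values())}

def simulate(policy_data):
    # Simulation step ([0057]): security is provided when no residual risk
    # reaches the threshold. Returns (ok, worst residual risk).
    worst = max(t["frequency"] * t["damage"]
                for a in policy_data["assets"] for t in a["threats"])
    return worst < RISK_THRESHOLD, worst

def run_pipeline(policy_data):
    # The whole loop of Fig. 1 on a copy of the input; returns
    # (controls data in the policy-construction format, selected controls).
    risk_data = select_controls(assess(to_risk_format(deepcopy(policy_data))))
    return to_policy_format(risk_data), risk_data["controls"]
```

Running `simulate` on the sample before and after `run_pipeline` shows the effect the page describes in [0030]: the unmitigated configuration fails the check, the configuration carrying the selected control passes it.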

[0061] As above, according to the present invention, an application programming interface pertaining to the data format intended for risk assessment and the data format intended for security policy construction is defined, and the data formats are converted on the basis of the application programming interface. Risk assessment can thus be conducted smoothly. Besides, the result of the risk assessment can be incorporated into a security simulation to reflect the result of the risk assessment on the construction of a security policy.

[0062] Moreover, according to the present invention, a program for converting the data formats based on the description of the application programming interface is provided. Risk assessment and security policy construction can thus be performed smoothly.



Claims 

1. A risk assessment method comprising:

a first conversion step of converting a security policy and information-system-related information into a first data format based on a predetermined application programming interface, said first data format being a data format intended for risk assessment; and
a risk assessment step of executing a risk assessment based on said security policy and information-system-related information converted.

2. The risk assessment method according to claim 1, further comprising:

a modification step of modifying either one or both of said security policy and said information-system-related information based on the result of assessment at said risk assessment step;
a second conversion step of converting either one or both of said security policy and said information-system-related information modified at said modification step into a second data format based on said application programming interface, said second data format being a data format intended for security policy construction; and
a simulation step of performing a simulation as to security based on said security policy and information-system-related information in said second data format.

3. The risk assessment method according to claim 2, wherein said simulation at said simulation step checks if security is provided.

4. A security policy construction method including the risk assessment method according to claim 2, further comprising a security policy construction step of constructing said security policy reflecting a result of said simulation.

5. A program for making a computer execute a first conversion step of converting either one or both of a security policy and information-system-related information into a data format intended for risk assessment based on a predetermined application programming interface.

6. A program for making a computer execute a second conversion step of converting either one or both of a security policy and information-system-related information into a data format intended for security policy construction based on a predetermined application programming interface.

7. A computer program product comprising a computer usable medium having computer readable code thereon, including program code for making a computer execute a first conversion step of converting either one or both of a security policy and information-system-related information into a data format intended for risk assessment based on a predetermined application programming interface.

8. A computer program product comprising a computer usable medium having computer readable code thereon, including program code for making a computer execute a first conversion step of converting either one or both of a security policy and information-system-related information into a data format intended for risk assessment based on a predetermined application programming interface.